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Abstract 


A  study  conducted  by  the  CERT ®  Program  at  Carnegie  Mellon  University’s  Software  Engineering 
Institute  analyzed  hundreds  of  insider  cyber  crimes  across  U.S.  critical  infrastructure  sectors. 
Follow-up  work  involved  detailed  group  modeling  and  analysis  of  48  cases  of  insider  theft  of 
intellectual  property.  In  the  context  of  this  paper,  insider  theft  of  intellectual  property  includes 
incidents  in  which  the  insider’s  primary  goal  is  stealing  confidential  or  proprietary  information 
from  the  organization.  This  paper  describes  general  observations  about  and  a  preliminary  system 
dynamics  model  of  this  class  of  insider  crime  based  on  our  empirical  data.  This  work  generates 
empirically-based  hypotheses  for  validation  and  a  basis  for  identifying  mititgative  measures  in 
future  work. 


CMU/SEI-201 1-TN-013  |  ix 


CMU/SEI-201 1-TN-013  |  x 


1  Introduction 


Since  2002,  the  CERT”  Program  at  Carnegie  Mellon  University’s  Software  Engineering  Institute 
has  been  gathering  and  analyzing  actual  malicious  insider  incidents,  including  information 
technology  (IT)  sabotage,  fraud,  theft  of  confidential  or  proprietary  information,  espionage,  and 
potential  threats  to  the  critical  infrastructure  of  the  United  States.  Consequences  of  malicious 
insider  incidents  include  financial  losses,  operational  impacts,  damage  to  reputation,  and  harm  to 
individuals.  The  actions  of  a  single  insider  have  caused  damage  to  organizations  ranging  from  a 
few  lost  staff  hours  to  negative  publicity  and  financial  damage  so  extensive  that  businesses  have 
been  forced  to  lay  off  employees  and  even  close  operations.  Furthermore,  insider  incidents  can 
have  repercussions  beyond  the  affected  organization,  disrupting  operations  or  services  critical  to  a 
specific  sector,  or  creating  serious  risks  to  public  safety  and  national  security. 

CERT  insider  threat  work,  referred  to  as  MERIT  (Management  and  Education  of  the  Risk  of 
Insider  Threat),  uses  the  wealth  of  empirical  data  collected  by  CERT  to  provide  an  overview  of 
the  complexity  of  insider  events  for  organizations — especially  the  unintended  consequences  of 
policies,  practices,  technology,  efforts  to  manage  insider  risk,  and  organizational  culture  over 
time.  As  part  of  MERIT,  we  have  been  using  system  dynamics  modeling  and  simulation  to  better 
understand  and  communicate  the  threat  to  an  organization’s  IT  systems  posed  by  malicious 
current  or  former  employees  or  contractors.  Our  work  began  with  a  collaborative  group  modeling 
workshop  on  insider  threat  hosted  by  CERT  and  facilitated  by  members  of  what  has  evolved  into 
the  Security  Dynamics  Network  and  the  Security  Special  Interest  Group  of  the  System  Dynamics 
Society  [Anderson  2004], 

Based  on  our  initial  modeling  work  and  our  analysis  of  cases,  we  have  found  that  different  classes 
of  insider  crimes  exhibit  different  patterns  of  problematic  behavior  and  mitigating  measures 
[Cappelli  2009].  CERT  has  found  four  categories  of  insider  threat  cases  based  on  the  patterns  we 
have  seen  in  cases  identified:  IT  sabotage,  fraud,  theft  of  intellectual  property  (IP),  and  national 
security  espionage.  We  believe  that  modeling  these  types  of  crimes  separately  can  be  more 
illuminating  than  modeling  the  insider  threat  problem  as  a  whole.  In  this  paper,  we  focus  on  theft 
of  IP. 

We  define  insider  theft  of  IP  as  crimes  in  which  current  or  fonner  employees,  contractors,  or 
business  partners  intentionally  exceeded  or  misused  an  authorized  level  of  access  to  networks, 
systems,  or  data  to  steal  confidential  or  proprietary  information  from  the  organization.1  This  paper 
is  centered  on  two  dominant  models  found  within  the  cases:  the  Entitled  Independent  Scenario  (27 
cases)  and  the  Ambitious  Leader  Scenario  (21  cases).  We  first  define  our  approach  to  building 
these  models.  Next,  we  incrementally  build  the  models,  describing  them  as  we  go.  Finally,  we 
provide  general  observations  and  discuss  future  work.  Appendix  A  summarizes  important 
characteristics  of  the  crimes  involving  theft  of  IP.  Appendices  B  and  C  provide  an  overview  of  the 
models  developed.  We  believe  that  these  models  will  help  people  better  understand  the  complex 


CERT  is  a  registered  trademark  owned  by  Carnegie  Mellon  University. 

While  some  frameworks  include  accidental  harmful  acts  within  the  scope  of  insider  threat  [Predd  2008],  CERT 
past  and  present  work  has  focused  only  on  intentional  acts  by  an  insider. 
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nature  of  this  class  of  threat.  Through  improved  understanding  comes  better  awareness  and 
intuition  regarding  the  effectiveness  of  countermeasures  against  the  crime.  Our  work  generates 
strong  hypotheses  based  on  empirical  evidence.  Future  work  will  involve  alignment  with  existing 
theory,  testing  of  these  hypotheses  based  on  random  sampling  from  larger  populations,  and 
analysis  of  mitigation  approaches. 
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2  Related  Work 


There  is  a  vast  literature  on  counterproductive  work  behavior  (CWB),  which  is  defined  as  “any 
intentional  behavior  on  the  part  of  an  organizational  member  viewed  by  the  organization  as 
contrary  to  its  legitimate  interests”  [Sackett  2002],  This  includes  a  wide  variety  of  both  self¬ 
destructive  and  retaliatory  behaviors,  but  specifically  encompasses,  sabotage,  stealing,  fraud,  and 
vandalism.  Sackett  and  DeVore  provide  a  thorough  literature  review  and  group  the  antecedents 
into  personality  variables,  job  characteristics,  work  group  characteristics,  organizational  culture, 
control  systems,  and  injustice  [Sackett  2001].  This  work  supports  our  findings  of  personal 
predispositions  and  organizational  and  individual  stressors  as  antecedents  of  a  range  of  malicious 
activity.  Our  past  work  has  involved  modeling  insider  fraud  [Rich  2005]  and  insider  IT  sabotage 
[Moore  2008]  [Cappelli  2006]. 

The  primary  personality  model  used  in  CWB  research  is  the  Five  Factor  Model  (FFM).  The  FFM 
includes  dimensions  of  openness  to  experience,  extraversion,  conscientiousness,  agreeableness, 
and  emotional  stability.  After  reviewing  the  literature  on  the  FFM  dimensions  and  CWBs, 

Salgado  found  44  studies  conducted  between  1990  and  1999  that  examine  the  relationship 
between  the  FFM  dimensions  and  deviant  behaviors  (17),  absenteeism  (13),  work-related 
accidents  (9),  or  turnover  (5)  [Salgado  2002].  This  work  showed  that  conscientiousness  and 
agreeableness  were  significant,  valid  predictors  of  workplace  deviance.  Related  work  showed  that 
workplace  stress  [Mount  2006]  and  insider  perceived  status  within  the  organization  [Stamper 
2002]  were  correlated  with  CWBs. 

The  personal,  situational,  and  behavioral  antecedents  identified  in  the  CWB  literature  are  also 
supported  in  many  models  of  computer-related  malicious  insider  activity: 

•  the  Capability,  Motive,  Opportunity  Model  [Parker  1998]  [Wood  2000] 

•  behavioral  models  [Suler  1997]  [Shaw  1998] 

•  an  entity  relationship  model  in  a  comprehensive  characterization  framework  [Schultz  2002] 

•  a  criminological  and  social  model  [Gudaitis  1998] 

One  effort  developed  a  system  dynamics  model  to  compare  the  problem  domains  of  IT  sabotage 
and  espionage  to  identify  similarities  and  differences  between  the  two  classes  of  crimes  [Band 
2006],  This  study  was  based  on  the  espionage  and  insider  threat  data  collected  by  the  Defense 
Personnel  Security  Research  Center  (PERSEREC)  [Fischer  1993]  [Herbig  2002]  [Shaw  2005].  In 
addition,  social  science  experiments  within  organizations,  such  as  those  conducted  at  Mitre 
[Caputo  2009],  can  help  validate  hypotheses  about  the  problem  generated  through  empirical  work 
such  as  described  in  this  paper,  as  well  as  test  deterrent  measures  against  the  threat  patterns  seen 
in  cases  of  insider  compromise. 
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3  Approach 


Our  research  approach  is  based  on  the  comparative  case  study  methodology  [Yin  2002].  The  cases 
we  selected  fit  the  definition  of  theft  of  IP  described  in  Section  1.  We  identified  these  cases 
through  public  reporting  and  included  primary  source  materials,  such  as  court  records  in  criminal 
justice  databases  (found  through  searches  on  Lexis  court  databases),  and  other  secondary  source 
materials  such  as  media  reports  (found  through  searches  on  Lexis-Nexis  news  databases  and 
Internet  search  engines  such  as  Google). 

We  used  the  following  criteria  to  select  cases: 

•  The  crime  occurred  in  the  United  States. 

•  The  subject  of  the  crime  was  prosecuted  in  a  United  States  court. 

•  Sufficient  quantities  and  quality  of  data  were  available  to  understand  the  nature  of  the  case. 

We  identified  and  analyzed  48  cases  of  IP  theft  that  satisfied  these  criteria.  We  discovered  the  two 
dominant  scenarios  found  within  the  cases  (i.e.,  the  Entitled  Independent  and  Ambitious  Leader 
Scenarios)  only  through  extensive  group  discussion.  These  scenarios  seemed  to  best  make  sense 
of  the  patterns  we  saw  in  the  cases.  However,  other  views  into  the  nature  of  the  problem  are 
possible,  and  we  invite  other  researchers  to  validate  our  insights  or  discover  new  aspects  of  the 
crime  not  previously  observed.  And  we  will  continue  to  do  the  same. 

The  findings  from  case  study  comparisons  in  general,  and  our  study  in  particular,  cannot  be 
generalized  with  any  degree  of  confidence  to  a  larger  universe  of  cases  of  the  same  class  or 
category.  What  this  method  can  provide,  however,  is  an  understanding  of  the  contextual  factors 
that  surround  and  influence  the  event.  The  primary  purpose  of  our  modeling  effort  is  precisely 
that  —  to  help  people  understand  the  complex  nature  of  the  threat.  Our  models  evolved  through  a 
series  of  group  data  analysis  sessions  with  individuals  experienced  in  both  the  behavioral  and 
technical  aspects  of  insider  crimes.  We  used  system  dynamics,  a  method  for  modeling  and 
analyzing  the  holistic  behavior  of  complex  problems  as  they  evolve  over  time  [Sterman  2000]. 
System  dynamics  provides  particularly  useful  insight  into  difficult  management  situations  in 
which  the  best  efforts  to  solve  a  problem  actually  make  it  worse. 

System  dynamics  model  boundaries  are  drawn  so  that  all  the  variables  necessary  to  generate  and 
understand  problematic  behavior  are  contained  within  them.  This  approach  encourages  the 
inclusion  of  soft  (as  well  as  hard)  factors  in  the  model,  such  as  policy-related,  procedural, 
administrator,  or  cultural  factors.  In  system  dynamics  models,  arrows  represent  the  pair-wise 
influence  of  the  variable  at  the  source  of  the  arrow  on  the  variable  at  the  target  end  of  the  arrow.  A 
solid  arrow  indicates  that  the  values  of  the  variables  move  in  the  same  direction,  whereas  a  dashed 
arrow  indicates  that  they  move  in  the  opposite  direction. 

A  powerful  tenet  of  system  dynamics  is  that  the  dynamic  complexity  of  problematic  behavior  is 
captured  by  the  underlying  feedback  structure  of  that  behavior.  System  dynamics  models  identify 
two  types  of  feedback  loops:  balancing  and  reinforcing.  Significant  feedback  loops  are  indicated 
in  the  model  using  a  loop  label  appearing  in  parentheses  in  the  middle  of  the  loop.  Reinforcing 
loops  (indicated  by  a  label  with  an  R  followed  by  a  number)  describe  system  aspects  that  tend  to 
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drive  variable  values  consistently  upward  or  downward  and  are  often  typified  by  escalating 
problematic  behaviors.  Balancing  loops  (indicated  by  a  label  with  a  B  followed  by  a  number)  tend 
to  drive  variables  to  some  goal  state  and  are  often  typified  by  aspects  that  control  problematic 
behaviors.  For  those  with  color  copies  of  this  paper,  loops  are  additionally  distinguished  by  color, 
where  black  arrows  are  not  part  of  a  significant  feedback  loop. 
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4  The  Entitled  Independent  Model 


This  section  describes  the  system  dynamics  model  of  the  Entitled  Independent,  an  insider  acting 
primarily  alone  to  steal  information  to  take  to  a  new  job  or  to  his2  own  side  business. 

4.1  Entitlement 

The  degree  to  which  insiders  felt  entitled  to  information  they  stole  is  difficult  to  quantify  without 
group  interview  data.  However,  interviews  in  a  number  of  cases,  along  with  the  finding  that  60% 
of  this  class  of  insiders  stole  information  that  they  had  at  least  partially  developed  or  for  which 
they  had  signed  an  IP  agreement  supports  this  hypothesis.  Three-fourths  of  the  Entitled 
Independents  stole  information  in  their  area  of  responsibility,  and  37%  were  at  least  partially 
involved  with  the  development  of  the  information  stolen.  41%  of  the  Entitled  Independents  stole 
information  or  products  despite  having  signed  IP  agreements  with  the  organization. 

Figure  1  shows  the  escalation  of  entitlement  to  information  developed  by  the  insider.  As  shown  in 
the  upper  right  hand  corner,  an  employee  comes  into  an  organization  with  a  desire  to  contribute  to 
its  efforts.  As  the  insider  invests  time  in  developing  or  creating  information  or  products,  his 
contribution  to  the  organization  becomes  tangible.  Such  an  individual,  unlike  his  coworkers,  has 
personal  predispositions  that  result  in  a  sense  of  entitlement  to  the  information  created  by  the 
group.  This  entitlement  is  shown  in  the  self-reinforcing  loop  shown  in  purple  and  labeled  R1  in 
the  figure. 


insider  desire  to 
contribute  to 
organization 


Figure  1:  Insider  Entitlement 


92%  of  insiders  who  stole  IP  were  male.  See  Appendix  A  for  additional  details  about  insider  IP  theft. 
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This  sense  of  entitlement  can  be  particularly  acute  if  the  insider  perceives  his  role  in  the 
development  of  products  as  especially  important.  If  the  insider’s  work  is  focused  on  the 
contribution  to  a  particular  product,  for  example  a  commercial  software  package,  or  the 
development  of  specific  business  information  like  customer  contact  lists,  he  may  have  a  great 
sense  of  ownership  of  that  product  or  infonnation.  This  leads  to  an  even  greater  sense  of 
entitlement.  This  self-reinforcing  loop  is  shown  in  blue  and  labeled  R2.  In  addition,  consistent 
with  good  management  practice,  individuals  may  receive  positive  feedback  for  their  efforts, 
which  they  may  interpret  as  particularly  reinforcing,  given  their  predispositions.  In  a  recent 
insider  case,  one  of  the  authors  encountered  a  subject  at  significant  insider  risk  who  had  been  told 
his  efforts  had  saved  the  company  “millions  of  dollars.”  This  compliment  had  the  unintended 
consequence  of  reinforcing  the  entitlement  loop. 

Evidence  of  entitlement  was  extreme  in  a  few  cases.  One  Entitled  Independent,  who  had  stolen 
and  marketed  a  copy  of  his  employer’s  critical  software,  created  a  lengthy  manuscript  detailing 
his  innocence  and  declaring  that  everyone  at  the  trial  had  lied.  After  being  denied  a  raise,  another 
insider  stole  the  company’s  client  database  and  threatened  to  put  them  out  of  business  on  his  way 
out  the  door. 

4.2  Dissatisfaction  Leading  to  Compromise 

Expressed  dissatisfaction  played  a  role  in  33%  of  the  Entitled  Independent  cases.  Dissatisfaction 
typically  resulted  from  the  denial  of  an  insider’s  request,  as  shown  in  Figure  2.  Such  denied 
requests  in  the  cases  we  studied  often  involved  raises  and  benefits,  applications  for  promotion, 
and  requests  for  relocation.  Dissatisfaction  also  resulted  from  the  threat  of  layoffs  within  the 
victim  organization. 


insider  desire  to' 
contribute  to 


insider  sense  of 
loyalty  to 
organization 


Figure  2:  Insider  Dissatisfaction  Leading  to  Compromise 
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The  middle  of  Figure  2  shows  that  the  organization’s  denial  of  an  insider’s  request  leads  to  the 
insider’s  dissatisfaction,  which  in  turn  decreases  the  insider’s  desire  to  contribute.  This  also 
affects  the  insider’s  ultimate  sense  of  loyalty  to  the  organization.  Dissatisfaction  often  spurred  the 
insider  to  look  for  another  job.  Once  the  insider  receives  a  job  offer  and  begins  planning  to  go  to  a 
competing  organization,  his  desire  to  steal  information  increases.  This  desire  is  amplified  by  his 
dissatisfaction  with  his  current  employer  and  his  sense  of  entitlement  to  the  products  developed 
by  his  group.  In  a  third  of  the  cases,  the  insider  used  the  information  to  get  a  new  job  or  to  benefit 
his  new  employer  in  some  way.  In  over  a  third  of  the  cases  (37%),  the  insider  took  the 
information  just  in  case  he  ever  needed  it,  with  no  specific  plans  in  mind.  One  insider  actually 
broke  in  to  his  organization’s  office  after  he  was  terminated  to  find  out  whether  the  organization 
had  made  any  further  progress  on  the  product  he  had  helped  develop  while  he  worked  there. 

4.3  Theft  and  Deception 

The  insider’s  plan  to  go  to  a  competing  organization,  dissatisfaction  with  his  job  and/or  the 
organization,  and  his  sense  of  entitlement  to  the  products  on  which  he  has  been  working  all 
contribute  to  the  decision  to  steal  the  information.  As  shown  in  Figure  3,  eventually  the  desire  to 
steal  information  becomes  strong  enough,  leading  to  the  theft  and  the  opportunity  for  the 
organization  to  detect  the  theft.  Such  opportunities  arise  when  an  organization  observes  an 
employee’s  actions,  or  consequences  of  those  actions,  that  seem  suspicious  in  some  way.  We 
discuss  some  of  these  opportunities  later  in  this  section. 

insider  planning  to 


Concern  over  being  caught  may  make  the  insider  think  twice  about  stealing  the  information,  as 
shown  in  the  balancing  loop  labeled  Bl.  Because  our  data  consists  of  insiders  who  were  caught 
and  prosecuted,  we  do  not  know  how  many  subjects  may  be  deterred  from  insider  acts  by  such 
concerns.  However,  our  Entitled  Independents  did  not  exhibit  great  concern  with  being  caught. 
This  lack  of  concern  is  consistent  with,  and  may  be  proportional  to,  the  psychological 
predispositions  that  contribute  to  entitlement.  Such  individuals  tend  to  overestimate  their  abilities 
and  underestimate  the  capabilities  of  others.  Despite  IP  agreements  being  in  place  in  41%  of  the 
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cases,  less  than  a  quarter  of  the  Entitled  Independents  explicitly  attempted  to  deceive  the 
organization  while  taking  information. 

Nevertheless,  explicit  deception  can  lessen  the  insider’s  concern  over  being  caught  and  should  be 
anticipated  by  a  vigilant  organization.  This  is  shown  in  the  self-reinforcing  loop  labeled  R3.  This 
loop  expresses  the  relationship  between  an  insider’s  concern  over  being  caught  and  deceptions 
committed  that  would  embolden  his  theft  of  information.  The  fact  that  most  insiders  did  not  often 
feel  it  necessary  to  explicitly  deceive  the  organization  regarding  the  theft  is  interesting,  suggesting 
the  sense  of  entitlement  and  its  correlates  mentioned  previously  may  be  particularly  strong  in 
these  cases. 

While  explicit  deception  is  not  a  major  factor  in  this  class  of  crimes,  the  fact  that  it  does  occur 
needs  to  be  recognized.  For  example,  upon  announcing  his  resignation,  one  insider  lied  to  his 
manager  and  said  he  had  no  follow-on  employment,  even  though  he  had  told  a  coworker  about  his 
new  job  at  a  competitor.  As  shown  in  the  lower  right  part  of  Figure  3,  deception  may  be  an 
indicator  of  problems  to  come.  Deceptions  generally  make  it  harder  for  the  organization  to  sense 
the  risk  of  theft,  and  that  is  why  the  insider  engages  in  such  behavior.  But  if  the  organization  is 
vigilant,  deceptions  may  be  discovered,  alerting  the  organization  to  increased  risk  of  insider 
threat.  If  the  organization  in  this  example  had  detected  the  insider  had  given  contradictory 
information  to  his  manager  and  coworker,  it  may  have  been  forewarned  of  the  heightened  risk.  In 
general,  the  organization’s  accurate  understanding  of  its  risk  is  directly  related  to  its  ability  to 
detect  the  insider’s  actions.  With  sufficient  levels  of  technical  and  behavioral  monitoring,  these 
actions  may  be  discoverable.  Over  half  (52%)  of  the  Entitled  Independents  stole  information 
within  one  month  of  resignation,  which  gives  organizations  a  window  of  opportunity  for 
discovering  the  theft  prior  to  employee  termination. 

4.4  Summary 

Twenty-seven  of  the  cases  involved  insiders  acting  as  an  Entitled  Independent.  Appendix  B  shows 
the  final  model  of  the  Entitled  Independent.  In  summary,  well  over  half  of  the  insiders  who  stole 
proprietary  information  appeared  to  feel  entitled  to  that  information,  based  on  their  direct 
participation  in  the  development  of  the  stolen  information,  despite  signing  an  IP  agreement.  This 
sense  of  entitlement,  when  viewed  in  light  of  an  event  seen  as  dissatisfying  to  the  insider,  formed 
the  catalyst  for  the  insider  to  begin  looking  for  other  jobs.  Insiders  then  used  stolen  information  to 
pursue  new  opportunities.  The  Entitled  Independent  is  more  often  than  not  fully  authorized  for 
access  to  this  information  and  steals  it  very  close  to  resignation  with  very  little  planning.  In 
addition.  Entitled  Independents  frequently  act  as  if  they  are  not  doing  anything  wrong,  probably 
because  they  feel  perfectly  entitled  to  take  the  information  or  product  with  them  to  their  new  job. 
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5  The  Ambitious  Leader  Model 


This  section  describes  the  Ambitious  Leader  model.  These  cases  involve  a  leader  who  recruits 
insiders  to  steal  information  for  some  larger  purpose.  The  cases  can  be  distinguished  according  to 
whether  the  insider 

•  had  specific  plans  to  develop  a  competing  product  or  use  the  information  to  attract  clients 
away  from  the  victim  organization  (52%) 

•  was  working  with  a  competing  organization  to  help  his  new  employer  (38%) 

•  sold  the  information  to  a  competing  organization  (10%) 

It  also  describes  cases  in  which  the  insider  was  partially  motivated  by  a  desire  to  contribute  to  a 
foreign  govermnent  or  company  (we  view  this  as  an  implicit  recruitment  of  insider  help).  The  rest 
of  this  section  describes  additional  aspects  of  the  Ambitious  Leader  model  not  exhibited  by 
Entitled  Independents.  This  scenario  is  more  complex  than  the  Entitled  Independent  scenario, 
involving  more  intricate  planning,  deceptive  attempts  to  gain  increased  access,  and  recruitment  of 
other  employees  into  the  leader’s  scheme. 

The  motivation  for  the  Ambitious  Leader  model  is  almost  exactly  the  same  as  the  Entitled 
Independent  model  described  above.  The  primary  difference,  however,  is  that  there  was  little 
evidence  of  employee  dissatisfaction  in  the  Ambitious  Leader  class  ( 1 0%),  whereas  it  played  a 
more  significant  role  with  Entitled  Independents  (33%).  Insiders  in  this  scenario  were  motivated 
not  by  dissatisfaction  but  rather  by  an  Ambitious  Leader  promising  them  greater  rewards.  In  one 
case,  the  head  of  the  public  finance  department  of  a  securities  firm  organized  his  employees  to 
collect  documents  to  take  to  a  competitor.  Over  one  weekend  he  then  sent  a  resignation  letter  for 
himself  and  each  recruit  to  the  head  of  the  sales  department.  The  entire  group  of  employees 
started  work  with  the  competitor  the  following  week.  In  another  case,  an  outsider  who  was 
operating  a  fictitious  company  recruited  an  employee  looking  for  a  new  job  to  send  him  reams  of 
his  current  employer’s  proprietary  information  by  email,  postal  service,  and  a  commercial  carrier. 

Except  for  the  dissatisfaction  of  the  Entitled  Independent,  the  initial  patterns  for  Ambitious 
Leaders  are  exactly  the  same.  In  fact,  the  beginning  of  the  Ambitious  Leader  model  is  merely  the 
model  shown  in  Appendix  B  without  the  “Insider  Dissatisfaction  with  Job/Organization”  variable 
shown  in  the  middle  left  of  the  model.  Theft  took  place  even  though  IP  agreements  were  in  place 
for  about  half  (48%)  of  the  Ambitious  Leader  cases.  In  at  least  one  case,  the  insider  lied  when 
specifically  asked  if  he  had  returned  all  proprietary  information  and  software  to  the  company  as 
stipulated  in  the  IP  agreement  he  had  signed.  He  later  used  the  stolen  software  to  develop  and 
market  a  competing  product  in  a  foreign  country.  Most  (86%)  of  the  insiders  in  the  Ambitious 
Leader  cases  stole  information  or  products  in  their  area  of  job  responsibility,  with  over  half  (62%) 
at  least  partially  involved  in  developing  the  information  or  product  stolen. 

5.1  Insider  Planning  of  Theft 

The  Ambitious  Leader  cases  involved  a  significantly  greater  amount  of  planning  than  the  Entitled 
Independent  cases,  particularly  the  recruitment  of  other  insiders.  Other  forms  of  planning 
involved 
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•  creating  a  new  business  (43%) 

•  coordinating  with  a  competing  organization  (43%) 

•  collecting  information  in  advance  of  the  theft  (38%) 

This  aspect  of  the  insider  behavior  is  reflected  in  the  balancing  loop  labeled  B2  in  Figure  4.  The 
B2  loop  parallels  the  loop  B 1  from  the  Entitled  Independent  model  in  Figure  3  but  describes  an 
additional  dimension:  the  insider’s  plans  to  steal  information  prior  to  the  actual  theft.  This 
potential  additional  point  of  exposure  of  the  impending  theft  includes  the  extensive  planning 
described  above  and  measures  by  the  insider  to  hide  his  actions.  Most  of  the  Ambitious  Leader 
cases  involved  planning  by  the  insider  a  month  or  more  before  the  insider’s  departure  from  the 
organization  (71%).  In  almost  half  of  the  cases,  the  actual  theft  took  place  a  month  or  more  before 
the  insider’s  departure  (43%).  One  insider  planned  with  a  competing  organization  abroad  and 
transferred  documents  to  the  company  for  almost  two  years  prior  to  her  resignation. 

insider  planning  to 


Figure  4:  Theft  Planning  by  Ambitious  Leader 

Forty-three  percent  of  the  insiders  used  deception  to  hide  their  plans  for  the  theft  of  IP.  The  self- 
reinforcing  loop  labeled  R3  is  twice  as  strong  for  Ambitious  Leaders  than  for  Entitled 
Independents.  In  almost  half  of  the  cases  (48%),  the  organization  had  IP  agreements  with  the 
insiders  explicitly  stating  the  organization’s  ownership  of  the  stolen  information.  In  fact,  there 
were  only  a  few  cases  in  which  an  IP  agreement  was  in  place  between  the  organization  and  the 
insider  but  no  deception  was  committed  by  the  insider.  This  provides  a  working  hypothesis 
regarding  the  effectiveness  of  an  organization’s  efforts  to  promote  its  concern  about  IP  theft.  If 
the  organizations  involved  publicized  its  concern  and  pursued  violations,  this  may  have  increased 
the  odds  of  deception  while  providing  another  observable  indicator  of  insider  risk. 
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5.2  Increasing  Access 

The  amount  of  planning  by  the  Ambitious  Leader  and  insider  subordinates  he  has  recruited 
appears  to  depend  on  the  extent  to  which  any  one  participant  has  access  to  all  of  the  information 
targeted  for  theft.  The  more  segregation  of  privilege,  the  more  planning,  participation,  and 
coordination  are  needed  to  commit  the  theft.  In  over  half  (52%)  of  the  Ambitious  Leader  cases, 
the  lead  insider  had  authorization  for  only  part  of  the  information  targeted  and  had  to  take  steps  to 
gain  additional  access.  In  the  case  involving  the  transfer  of  proprietary  documents  to  a  foreign 
company,  the  lead  insider  asked  her  supervisor  to  assign  her  to  a  special  project  that  would 
increase  her  access  to  highly  sensitive  information.  She  did  this  just  weeks  prior  to  leaving  the 
country  with  a  company  laptop  and  numerous  company  documents,  both  physical  and  electronic. 

As  shown  on  the  right  side  of  Figure  5,  the  recruitment  of  additional  insiders  is  the  primary  means 
Ambitious  Leaders  use  to  gain  access  to  more  information.  The  need  for  recruitment  increases  the 
amount  of  planning  activity  necessary  to  coordinate  insider  activities.  As  shown  in  the  self- 
reinforcing  loop  labeled  R4  in  Figure  5,  as  the  insider  invests  more  time  and  resources  into  the 
plans  for  theft  and  movement  to  the  competing  organization,  it  is  less  and  less  likely  that  they  will 
back  out  of  those  plans. 
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Figure  5:  Increasing  Access  by  the  Ambitious  Leader 

While  we  can’t  know  for  sure  that  the  R4  loop’s  self-reinforcement  of  insider  criminal  behavior  is 
what  is  happening  in  these  cases,  there  is  strong  evidence  in  the  psychological  literature  for  the 
“sunk  cost  effect”  [Sastry  1998].  The  sunk  cost  effect  involves  an  irreversible  investment  (e.g., 
time  spent  planning  a  theft  that  decision-makers  consider  as  powerful  motivation  to  continue  the 
action).  The  further  investment  is  justified  not  in  terms  of  the  initial  rationale  but  because  so  much 
has  already  been  invested  [Staw  1989], 
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There  is  evidence  of  this  self-reinforcing  pattern  in  one  case  of  a  job-hunting  insider  who  met 
someone  online  who  falsely  claimed  to  own  a  competing  business.  While  the  insider  was  at  first 
reluctant  to  send  proprietary  information,  as  the  “friendship”  grew  and  requests  for  confidential 
information  repeated,  the  insider  seemed  unable  to  stop  herself  from  gradually  sending  more  and 
more  of  her  employer’s  confidential  information  to  the  outsider.  This  indicates  that  insiders  may 
be  reluctant  to  back  out  of  the  plans  because  others  are  depending  on  them  to  carry  out  their  part 
of  the  crime,  not  the  least  of  which  is  the  Ambitious  Leader.  At  this  point  in  the  endeavor,  the 
recruited  insider  is  also  subject  to  the  same  sanctions  as  the  internal  Ambitious  Leader  if  their 
actions  are  discovered.  In  addition,  the  insider  recruited  by  the  Ambitious  Leader  outside  the 
organization  is  also  subject  to  blackmail  once  they  have  participated  in  the  theft.  The  social  costs 
of  withdrawal  from  the  scheme  may  therefore  be  too  high,  thus  further  motivating  insiders  to 
continue  their  involvement,  even  if  they  know  it  is  wrong  and  would  like  to  back  out. 

5.3  Organization  Discovery  of  Theft 

There  are  many  more  avenues  for  an  organization  to  detect  heightened  risk  of  insider  theft  of  IP  in 
Ambitious  Leader  cases  than  in  Entitled  Independent  cases.  Entitled  Independents  are  often  fully 
authorized  to  access  the  information  they  steal,  and  do  so  very  close  to  resignation  with  very  little 
planning.  In  addition,  Entitled  Independents  infrequently  act  as  if  they  are  doing  anything  wrong, 
probably  because  they  feel  a  proprietary  attachment  to  the  information  or  product.  Ambitious 
Leaders,  on  the  other  hand,  often  have  to  gain  access  to  infonnation  for  which  they  are  not 
authorized.  This  involves,  in  part,  coordinating  the  activities  of  other  insiders  and  committing 
deception  to  cover  up  the  extensive  planning  required. 

Figure  6  illustrates  the  avenues  available  for  an  organization  to  continually  assess  the  risk  they 
face  regarding  theft  of  IP.  The  bottom  of  the  figure  shows  the  discovery  of  insider  deception. 
Because  deception  is  such  a  prominent  factor  in  Ambitious  Leader  cases,  its  discovery  may  be  a 
better  means  to  detect  heightened  insider  risk  here  than  in  Entitled  Independent  cases. 
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Figure  6:  Organization  Discovery  of  Theft  of  IP  in  Ambitious  Leader  Cases 
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In  some  of  the  cases  we  reviewed,  the  organization  found  out  about  the  theft  because  the  insider 
tried  to  use  the  information.  Two  primary  uses  were  observed:  marketing  of  the  competing 
product  to  the  general  public  or  to  the  victim  organization’s  customers,  and  soliciting  the  business 
of  the  victim  organization’s  customers.  While  these  two  uses  are  not  extremely  different,  they  do 
differ  based  on  what  was  stolen — in  the  first  case,  the  organization’s  product  (e.g.,  software 
system)  and,  in  the  second  case,  client  information  (e.g.,  organization  business  plans  or  client 
points  of  contact).  In  one  case,  the  insider  had  stolen  source  code  for  a  product  being  marketed  by 
his  previous  employer  and  was  demonstrating  a  slightly  modified  version  at  a  trade  show. 
Unfortunately  for  him,  his  previous  co-workers  observed  the  activity  and  alerted  the  authorities. 
While  this  detection  is  later  than  one  would  prefer,  it  is  still  not  too  late  to  take  action  and  prevent 
further  losses. 

Organizations  could  use  technical  monitoring  systems  to  achieve  earlier  detection  of  insider  plans 
to  steal,  or  actual  theft,  of  IP.  Over  half  (52%)  of  the  Entitled  Independents  and  almost  two-thirds 
(62%)  of  the  Ambitious  Leader  insiders  stole  information  within  one  month  of  resignation.  Many 
of  these  involved  large  downloads  of  information  outside  the  patterns  of  normal  behavior  by  those 
employees.  In  over  a  quarter  (29%)  of  the  Ambitious  Leader  cases,  an  insider  emailed  or 
otherwise  electronically  transmitted  information  or  plans  from  an  organizational  computer. 
Keeping  track  of  backup  tapes  is  also  important  —  in  the  case  described  in  the  previous  paragraph, 
the  insider  took  the  backup  tape  from  his  computer  on  his  last  day  of  work.  Understanding  the 
potential  relevance  of  these  types  of  precursors  provides  a  window  of  opportunity  for 
organizations  to  detect  theft  prior  to  employee  termination. 

Of  course,  the  earlier  an  organization  can  become  aware  of  such  plans  the  better.  Early  awareness 
depends  on  behavioral  as  well  as  technical  monitoring  and  is  more  likely  to  catch  incidents 
involving  Ambitious  Leaders  than  Entitled  Independents.  In  Ambitious  Leader  scenarios,  the 
organization  needs  to  look  for  evolving  plans  and  collusion  by  insiders  to  steal  information, 
including  attempts  to  gain  access  to  information  over  and  above  that  for  which  an  employee  is 
authorized.  There  were  behavioral  or  technical  precursors  to  the  crime  in  all  of  the  Ambitious 
Leader  cases.  One  insider,  over  a  period  of  several  years,  exhibited  suspicious  patterns  of  foreign 
travel  and  remote  access  to  organizational  systems  while  claiming  medical  sick  leave.  It  is  not 
always  this  blatant,  but  signs  are  often  observable  if  an  organization  is  vigilant. 

5.4  Insider  IP  Theft  Benefiting  a  Foreign  Entity 

Twelve  of  the  48  cases  (25%)  of  IP  theft  were  intended  to  benefit  a  foreign  government  or 
company.  All  of  these  cases  fit  the  model  of  the  Ambitious  Leader  scenario  and  were  included  in 
the  statistics  reported  in  this  section.  In  these  cases,  loyalty  to  their  native  country  trumped  loyalty 
to  the  employer.  Similar  to  the  way  insiders  in  the  other  cases  were  motivated  by  an  Ambitious 
Leader,  insiders  with  an  affinity  toward  a  foreign  country  were  motivated  by  the  goal  of  bringing 
value  to,  and  sometimes  eventually  relocating  in,  that  country.  In  all  of  the  Ambitious  Leader 
cases,  there  is  an  influencing  individual  and  motive  acting  on  the  subject  to  promote  the  criminal 
act. 
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5.5  Summary 

Twenty-one  of  the  48  cases  involved  Ambitious  Leaders  acting  as  the  insider  or  guiding  the 
insider  to  steal  information.  The  final  model  of  the  Ambitious  Leader  is  shown  in  Appendix  C. 
Ambitious  Leader  cases  involved  more  planning  and  deception,  as  there  was  more  coordination 
necessary  between  insiders  and  greater  understanding  of  the  impropriety  involved.  This  combined 
with  the  fact  that  at  least  some  of  the  theft  often  occurred  within  a  month  of  the  insider’s 
departure  means  there  were  many  chances  for  an  organization  to  detect  the  heightened  risk  of 
Ambitious  Leader  attacks.  In  some  cases,  the  Ambitious  Leader  was  an  agent  of  a  foreign  interest, 
and  the  theft  of  information  was  geared  toward  the  benefit  of  a  foreign  entity. 
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6  Conclusion 


This  paper  describes  two  models  of  insider  theft  of  IP.  Section  4  presents  the  model  of  the 
Entitled  Independent.  Section  5  presents  the  model  of  the  Ambitious  Leader.  While  these  two 
models  overlap  significantly,  the  Ambitious  Leader  Model — which  extends  the  Entitled 
Independent  Model — has  more  potential  indicators  for  early  warning.  Together  these  two  models 
present  the  big  picture  of  insider  theft  of  IP  and,  though  preliminary,  form  our  essential 
contribution. 

These  models  were  developed  using  empirical  data  from  cases  involving  actual  insider 
compromise.  The  frequencies  derived  from  our  analysis  are  given  in  Table  1.  The  primary 
hypotheses  derived  from  our  analysis  of  the  cases  are 

•  Entitled  Independents  often  show  signs  of  job  dissatisfaction. 

•  Insiders  who  steal  IP  almost  always  steal  information  within  the  area  of  their  job 
responsibility  and  are  usually  at  least  partially  involved  with  the  development  of  that 
information.  Entitled  Independents  are  more  likely  to  exhibit  this  property  than  are 
Ambitious  Leaders. 

•  Ambitious  Leaders  engage  in  a  significant  amount  of  planning  of  the  theft  of  IP. 

•  Ambitious  Leaders  often  start  stealing  information  more  than  a  month  prior  to  their  departure 
from  the  organization. 

•  Insiders  who  steal  IP  usually  steal  at  least  some  of  the  information  within  a  month  of  their 
resignation. 

•  Ambitious  Leaders  often  engage  in  explicit  deceptions  concurrently  with  committing  their 
crime. 

•  Insiders  who  steal  IP  are  more  likely  to  engage  in  explicit  deceptions  when  they  have 
previously  signed  an  IP  agreement. 

•  Insiders  who  steal  IP  are  more  likely  to  recruit  other  insiders  if  they  need  information  outside 
of  their  job  responsibility. 

•  As  insiders  invest  more  time  and  resources  into  the  planning  the  theft,  it  is  less  and  less 
likely  that  they  will  back  out  of  those  plans. 
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Table  1:  Key  Aspects  of  Insider  Theft  of  IP  Cases 


Entitled 

Independent 

Ambitious 

Leader 

Overall 

signs  of  job 
dissatisfaction 

33% 

10% 

23% 

disregarded  IP 
agreement 

41% 

48% 

44% 

planning  more  than 
one  month  before 
departure 

33% 

71% 

50% 

stole  within  area  of 
job  responsibility 

74% 

86% 

79% 

at  least  partially 
developed 
information  stolen 

37% 

62% 

48% 

started  stealing  more 
than  one  month 
before  departure 

19% 

43% 

29% 

stole  within  one 
month  of  resignation 

52% 

62% 

56% 

explicit  deception 

22% 

43% 

31% 

This  work  has  focused  on  gaining  a  more  rigorous  understanding  of  the  nature  of  the  threat  and 
providing  an  effective  means  for  communicating  that  to  the  general  public.  We  have  found  that 
the  system  dynamics  approach  helped  to  structure  and  focus  the  team’s  discussion.  This  was 
particularly  important  since  members  of  the  team,  by  necessity,  came  from  the  different 
disciplines  of  psychology  and  infonnation  security.  The  models  also  provided  a  concrete  target 
for  validation  through  mapping  to  observables  exhibited  by  the  real-world  cases. 

Of  course,  this  is  only  the  beginning  of  the  work.  Future  work  needs  to  further  validate  the 
hypotheses  embodied  in  the  model.  Model  validation  will  occur  only  incrementally  as  we  and 
other  researchers  study  the  theft  of  IP  class  of  crimes  to  substantiate  (or  refute)  the  hypotheses 
generated  in  our  study.  Further  model  validation  (perhaps  using  simulation)  will  likely  require 
richer  data  than  we  had  available  to  us  in  this  study.  In  addition,  our  ultimate  concern  is  to 
develop  effective  measures  to  counter  the  problem  of  theft  of  IP.  Significant  methodological  and 
data  challenges  must  be  overcome  before  research  on  insider  activity  can  be  soundly  prescriptive 
for  mitigation  policies,  practices,  and  technology.  However,  we  cannot  overestimate  the 
importance  of  looking  at  the  total  context  of  adverse  insider  behavior  for  understanding  why  these 
events  happened  and  how  they  might  be  prevented  in  the  future. 

By  using  the  system  dynamics  approach,  we  will  attempt  to  assess  the  weight  and  interrelatedness 
of  personal,  organizational,  social,  and  technical  factors.  We  expect  future  work  to  use  modeling 
and  simulation  to  identify  and  evaluate  the  effectiveness  of  deterrent  measures  in  the  workplace, 
such  as  those  suggested  in  Data  Theft:  A  Prototypical  Insider  Threat  [McCormick  2008]. 
Experiments  such  as  those  conducted  at  Mitre  can  also  help  validate  hypotheses  about  the 
problem  and  test  deterrent  measures  [Caputo  2009].  Prospective  studies  of  these  phenomena  will 
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always  be  challenging  because  of  low  base  rates.  In  the  meantime,  system  dynamics  modeling  and 
experimental  studies  based  on  available  empirical  data  can  bridge  this  methodological  gap  and 
translate  the  best  available  data  into  implications  for  policies,  practices,  and  technologies  to 
mitigate  insider  threat. 


CMU/SEI-201 1-TN-013  |  18 


Appendix  A:  Nature  of  Insider  IP  Theft  for  Business 
Advantage 


Who  were  the  insiders? 

•  92%  of  the  insiders  who  stole  IP  were  male  (males  comprise  78%  of  CERT’s 
overall  case  repository  where  gender  is  known). 

•  56%  held  technical  positions  (technical  positions  comprised  48%  of  the 
overall  case  repository  where  positions  were  known). 

•  75%  were  current  employees  when  they  committed  their  illicit  activity  (current 
employees  comprise  74%  of  CERT’s  case  repository  where  employment 
status  is  known). 

•  65%  of  the  insiders  had  already  accepted  positions  with  another  company  or 
had  started  a  competing  company  at  the  time  of  the  theft. 

Why  did  they  do  it? 

•  35%  of  the  insiders  stole  the  information  to  gain  an  immediate  advantage  at 
a  new  job. 

•  In  25%  of  the  cases,  the  insider  gave  the  information  to  a  foreign  company  or 
government  organization.  The  average  financial  impact  for  cases  involving 
the  benefit  for  a  foreign  entity  was  over  four  times  that  of  domestic  IP  theft. 

When  did  the  attacks 
happen? 

•  78%  of  the  crimes  were  committed  during  working  hours  when  the  time  of 
theft  was  known  (26%  of  the  overall  CERT  repository  of  cases  were 
committed  during  work  hours). 

•  56%  stole  within  a  month  of  their  departure  from  the  organization  (this 
characteristic  drops  to  9%  when  viewed  across  all  crimes  in  the  CERT 
repository). 

•  Less  than  one-third  of  the  insiders  continued  their  theft  for  more  than  one 
month;  and  of  those  that  did  so,  roughly  one-quarter  of  them  stole  the 
information  for  a  side  business,  and  roughly  three-quarters  to  take  to  a  new 
employer. 

How  did  they  attack? 

•  Almost  three-quarters  of  the  insiders  had  authorized  access  to  the 
information  stolen  at  the  time  of  the  theft.  (31  %  of  the  insiders  across  all 
crimes  had  authorized  access  at  the  time  of  the  theft). 

3 

•  None  of  the  insiders  had  privileged  access,  which  enabled  them  to  commit 
the  crime  (8%  of  all  crimes  involved  an  insider  with  privileged  access). 

•  In  approximately  19%  of  the  cases,  the  insider  colluded  with  at  least  one 
other  insider  to  commit  the  crime  (insiders  collaborated  with  accomplices 

24%  of  the  time  overall). 

•  The  insider  was  actively  recruited  by  someone  outside  the  organization  in 
only  25%  of  the  cases. 

•  65%  of  the  insiders  attacked  at  the  workplace  (15%  attacked  remotely, 
accessing  their  employers’  networks  from  their  homes  or  from  another 
organization.  In  25%  of  the  cases,  the  location  of  the  attack  was  unknown.) 

How  was  the  theft  detected? 

•  Many  of  these  incidents  were  detected  by  non-technical  means,  such  as 

o  notification  by  a  customer  or  other  informant 
o  detection  by  law  enforcement  investigating  the  reports  of  the  theft 
by  victims 

o  reporting  of  suspicious  activity  by  co-workers 
o  sudden  emergence  of  new  competing  organizations 

•  The  most  likely  person  to  discover  an  insider  theft  is  a  non-technical 
employee.  In  cases  where  we  were  able  to  isolate  the  person  who 
discovered  the  incident,  72%  were  detected  by  non-technical  employees 
(non-technical  employees  were  responsible  for  discovering  insider  crime  in 

1 1  %  of  the  overall  CERT  case  repository). 

What  were  the  impacts? 

•  In  31%  of  the  cases,  proprietary  software  or  source  code  was  stolen  (insiders 
targeted  software  in  10%  of  the  entire  CERT  case  repository). 

Such  as  that  given  to  a  system  or  database  administrator. 


CMU/SEI-201 1-TN-013  |  19 


17%  of  cases  involved  business  plans,  proposals,  and  other  strategic  plans 
(insiders  targeted  business  plans  in  4%  of  the  entire  CERT  case  repository). 
31%  involved  product  information,  such  as  product  designs  or  formulas 
(trade  secrets  were  stolen  in  7%  of  the  cases  in  CERT’s  repository, 
regardless  of  crime  type). 

15%  involved  customer  lists  or  customer  data  (this  information  was  targeted 
29%  of  the  time  across  all  crimes). 

10%  involved  the  organization’s  physical  property  (physical  property  was  the 
target  in  6%  of  the  overall  CERT  case  repository). 
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Appendix  B:  Entitled  Independent  Model  for  Insider  IP  Theft 


...  ,  .  __ — insider  sense  of 

insider  desire  to  loyalty  to 

contribute  to  organization 
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Appendix  C:  Ambitious  Leader  Model  for  Insider  IP  Theft 


insider  committment 
to  competitor/side 
business 


insider  desire  to' 
contribute  to 


insider  sense  of 
loyalty  to 
organization 


(R4) 


insider  time  and 
resources 
invested  in  plan 
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